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Abstract 

In a previous FAST paper, I presented a quantitative model of the process of 
trust building, and showed that trust is accumulated like wealth: the rich get richer. 
This explained the pervasive phenomenon of adverse selection of trust certificates, 
as well as the fragility of trust networks in general. But a simple explanation 
does not always suggest a simple solution. It turns out that it is impossible to 
alter the fragile distribution of trust without sacrificing some of its fundamental 
functions. A solution for the vulnerability of trust must thus be sought elsewhere, 
without tampering with its distribution. This observation was the starting point of 
the present paper. It explores a different method for securing trust: not by redis- 
tributing it, but by mining for its sources. The method used to break privacy is thus 
also used to secure trust. A high level view of the mining methods that connect the 
two is provided in terms of similarity networks, and spectral decomposition of sim- 
ilarity preserving maps. This view may be of independent interest, as it uncovers a 
common conceptual and structural foundation of mathematical classification the- 
ory on one hand, and of the spectral methods of graph clustering and data mining 
on the other hand. 

1 Introduction 

1.1 What is trust? 

Trust is an internal assumption of honesty. In protocol analysis, we often assume 
that a principal Bob is honest. This usually means that Bob acts according to the pre- 
scriptions of a role in a given protocol. The notion of trust internalizes this assumption 
as a belief of another protocol participant Alice. We say that Alice trusts Bob when she 
believes that Bob will act according to a given protocol; e.g., 

• when Alice is a shopper, she trusts that the shop Bob will deliver the goods; 

• when Alice is a shop, she trusts that the shopper Bob will pay for the goods; 

• when Alice uses public key infrastructure, she trusts that Bob's key is not com- 
promised; 
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• in an access control system, Alice trusts that Bob will not abuse resources. 
1.1.1 Trust process 

In economics and game theory, trust is the instrument for transitioning from static 
rationality of non-cooperative behaviors to dynamics of cooperation [2|. To limit the 
risk exposure of the participants, trust is built gradually, keeping the cost of an attack 
at each point below a certain threshold of risk. Once the accumulated trust is above 
the required threshold, then it can be used as a basis for cooperation. Trust can thus be 
viewed as a process in two phases, trust building and trust service, that alternate as on 
Fig. [I] 




Trust service 



Figure 1 : Trust cycle 

• Trust building is a process of incremental testing of another party's honesty, viz 
her readiness to cooperate within the framework of a given protocol. The out- 
put of this process are the trust scores, which record whether the party behaved 
honestly in the past transactions. This process was analyzed in [35 1. 

• Trust service uses the trust scores to guide some further transactions: a higher 
trust score attracts more transactions. The feedback about their outcome can be 
used to update the trust scores. 

Remarks. There is a sense in which the process of trust building can be viewed as 
a foundation for authentication. When realized by means of a protocol, authentica- 
tion is always based on a secret ("something you know"), or a token ("something you 
have"), or a biometric property ("something you are"). But the secret, the token, or the 
property must be previously authenticated to assure the current authentication. Every 
authentication must be preceded by another authentication. So a formal authentication 
is then a process of infinite regression, "turtles all the way down'Q?! The notion of 
trust resolves this infinite regression. The process of trust building can be viewed as a 
primordial form of authentication, usually very weak, traversed in small, risk limiting 
steps. Of course, it generates trust, rather than a secret; but a first authentication proto- 
col between two parties, which does generate a secret, is usually based on some form 

'The idea of a world standing on the back of a giant turtle is attributed to early Hindu philosophers. The 
idea that the turtle may be supported by another turtle, and so on, "turtles all the way down", is attributed to a 
mythical old lady who attended a lecture of a mythical philosopher, varying from William James to Bertrand 
Russell. This idea may have been sparked by Lewis Carroll's use of tortoise in the regression arguments | 6 |. 
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of trust; and the further, stronger secrets are then derived from each other. Indeed, the 
first SSH tunnel to an unknown server requires a leap of trust from the client; the first 
contact with a new certificate authority can only be based on trust, and so on. 

Trust service has many different forms, which lead to the diverse forms of trust 
research. In the simplest case, a user records her own experience in an individual trust 
vector, and uses it to make her own choices. In large networks, and in processes with 
many participants, a wider range of choices is made possible by a trust service which 
records collaborative trust vectors, and supplies trust guidance for users and providers 
that had no previous experience with each other. This leads to the distinction between 
direct and indirect trust J3] |40] 120). In practice, indirect trust can be extracted from 
user feedback submitted to a trust server; or by surveillance and interpretation of the 
network structure and transactions: e.g., a return customer conveys trust by returning to 
the same shop, whereas she conveys dissatisfaction by returning the purchased goods. 
Each of the approaches to aggregating indirect trust has its vulnerabilities and short- 
comings. On the other hand, indirect trust service is indispensable not only for web 
commerce, but also for Public Key Infrastructure Ifl9l[37l . 

1.2 The problem of trust and the paradox of trust services 

Breaches of trust have been one of the hardest problems of social interaction since 
the dawn of mankind. Treason and betrayal attract the harshest punishments in all 
civilizations; and Dante reserved for these sins the deepest, Ninth Circle of Hell. But 
the problem of trust is not that it can be breached and abused. That is a part of its normal 
functioning. The problem of trust is that it can be farmed, transferred, marketed, and 
hijacked for the purpose of being breached and abused. 

With the advent of networks and web commerce, the social processes of trust ex- 
tend into cyberspace, engineered into various trust services, including feedback, rec- 
ommender, and reputation systems lfT3ll2Tll22l[38ll . as well as the public infrastructures 
and web of trust 1 19 1. This escalates the problem of trust to a new level. Oversimplify- 
ing a little, the problem can now be stated as a "paradox", namely that 

• trust is not transferable, but that 

• trust services must transfer trust. 

On one hand, Alice's trust that Bob is honest is distilled from the experience of 
their past interactions, in order to guide their future interactions. If the purpose of trust 
is thus to record Alice's view of Bob's behavior, then transferring trust defeats this 
purpose. Indeed, if Bob has been honest towards Alice, it does not mean that his friend 
Dave will also be honest, or that Bob will also be honest towards Alice's friend Carol; 
or that Bob will be honest in a different kind of interaction. 

On the other hand, in a large network, only a small portion of the participants can 
be expected to have direct previous interactions. For all others, the trust guidance must 
be somehow extrapolated. This is the task of a trust service. So if Alice and Bob never 
met, the trust service must derive a prediction of a future trust rating between them 
from Carol and Dave's available trust data, assuming that these two met, and that they 
are somehow related to Alice and Bob. So a trust service must transfer trust. 
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The compromises needed to resolve this paradox of trust lead to insecure trust 
services. But the vulnerabilities of trust services are different from the vulnerabilities 
usually studied in security research, where distinct attackers launch structured attacks. 
We first describe some examples of transferrable trust, and then their vulnerabilities. 

1.2.1 The simplest forms of trust transfer 

The most general form of transferrable trust is reputation. Bob's reputation is a state- 
ment about his honesty established by freely sharing the informations from the par- 
ticipants who interacted with him. If Alice never met Bob, she can rely upon his 
reputation, built and distributed in a peer to peer process, or by a devoted reputation 
service. E.g., Google's PageRank algorithm [4| can be viewed as a reputation service, 
derived by interpreting the hyperlinks as implicit trust statements [26 36]. The main 
idea of Google's trustworthy search is to present the pages where the queried keyword 
is found ordered according to their reputation. 

Another simple method of trust transfer are trust certificates. Instead of keeping her 
trust in Bob's honesty for herself, Carol states this in a trust certificate, which she gives 
to Bob. Bob shows the certificate to Alice, and if Alice trusts Carol's recommendations, 
she will also trust Bob. 

1.2.2 Adverse selection 

Adverse selection is perhaps the most striking manifestation of the problem of trust. 
In the social processes of reputation, it manifests itself through the observations that 
"the pillars of the society" (to use the title of Ibsen's play 1(161 ), the most trusted social 
hubs, seem more likely to turn out malicious or corrupt than the average members of the 
group. In online trust services, this moral problem from old novels and stage tragedies 
becomes a technical problem for security researchers and engineers. It also becomes a 
harder and more pernicious problem, because the commercial aspects of trust services 
provide additional incentives for strategic behavior, and concrete payoffs for focused 
attacks. 

The adverse selection of trust certificates in web commerce was empirically doc- 
umented in [9|. Through a battery of measurements and statistical analyses, it has 
been established that the web merchants with trust certificates are on the average twice 
as likely to scam their customers as those without such certificates. The claim was 
confirmed, with inessential variations, for all major trust certificate issuers. The phe- 
nomenon does not seem to be due to a lack of diligence, conflict of interest, or to 
a conspiracy between the merchants and the trust authorities, as it persists for other 
forms of trust certification. E.g., the sponsored links served by any of major search 
engines in response to a query are also on the average twice as likely to lead to scam 
as the organic results served in response to the same query, although the former are 
implicitly certified by the engine. 

An explanation of adverse selection in terms of a basic model of dynamics of trust 
building was offered in [35 1. Since trust is built by updating the trust ratings following 
the positive or the negative interactions with the selected servers, and the selection of 
these servers is based on the previous trust ratings, it follows that trust attracts more 
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trust: the servers with a higher trust rating are more likely to attract transactions, and 
thus to subsequently accumulate more trust, provided that they remain honest. This 
"rich get richer" schema ||34l results in a power law, or scale-free distribution of trust 
ratings fl32l [33l . Its structural consequence is that there is a significant "heavy tail", 
consisting of the servers with very high trust ratings. Such distributions are well known 
to be robust under random perturbations, but extremely vulnerable to adaptive attacks 
[8|. Intuitively, theft is more attractive and more harmful if very wealthy victims are 
available. 

The fragility of scale-free networks, and the vulnerabilities arising from their dis- 
tribution, cannot be mitigated by direct policy measures that would change the network 
structure. The power law distributions are not just a source of vulnerabilities, but also 
the basis of robustness of some networks. Such distributions are a pervasive mani- 
festation of evolutionary dynamics of networks that arise from biological, social and 
economic processes. Modifying this dynamics is not a way to security. The heavy tails 
of wealth were, of course, redistributed many times throughout history, but they al- 
ways re-emerged. The problems of heavy tails and adverse selection, and the problem 
of trust, require a different solution. 

1.3 Mining for trust 

The data mining methods are often viewed as the main threat to privacy. We explore 
ways to make trust less abstract, and thus more secure, using the same methods. The 
idea is that trust and privacy are, in a sense, two sides of the same coin: the need for 
privacy arises from a lack of trust. Following this crude idea, we mine trust concepts 
from trust scores, to better control the trust transfer and to fine tune the trust services. 

Related work 

Initially, the trust relationships were analyzed mainly in the frameworks of access con- 
trol |UJ|25) and public key infrastructure flU |40] [271 [3T] [37] . The idea of trust network, 
and the elements of a probabilistic analysis of trust dynamics, go back to 0. The 
emergence of peer-to-peer and business-to-business service networks reawoke interest 
for this line of research, and amplified its impact [ 1 3 22 23] [30] . 

A different family of methods has been used to analyze the logical structure of the 
trust relationships, which are now viewed as the statements of principals' beliefs about 
each other. The various forms of uncertainty arising in such beliefs lead to the various 
nonstandard logical features ||5l H4l fl8l l25l l28l l29l [lOl . 

The two types of trust research can be viewed as two projections of the trust net- 
work structure. The former type studies global dynamics of the trust relations in the 
form a — ► £, projecting awa>|j the trust concepts <£. The latter type studies logics of 

r 

O 

trust and the local trust relations in the form a — > I as a rely-guarantee exchange, pro- 
jecting away the trust ratings r. Our previous analysis in ll35l was of the former type, 
as we ignored trust concepts and focused on quantitative dynamics of trust ratings. In 

2 In I27ll31|[37l the trust concepts are present, but they carry very little structure: they are just labels used 
to distinguish, e.g., the delegation certificates from the binding certificates. 
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the present paper we show how the qualitative distinctions of trust concepts (D naturally 
arise from this quantitative dynamics of trust ratings r. The idea to mine them using 
the Singular Value Decomposition [11, Sec. 5.4.5] can be viewed as an extension of 
Latent Semantic Analysis [7] to the domain of trust. 

Outline of the paper 

In Sec. |2] we motivate by a toy example and introduce the formal framework of trust 
graphs. In Sec|3]we spell out the connection between the trust formalism and a similar- 
ity formalism, which explains and justifies the methods we use to mine trust concepts 
from trust data. The main formal result is Prop. [6] Its main consequences are drawn in 
Sec. 13.41 The results are applied on the toy example in Sec l3.5l As always, the final 
section contains a summary of the result and some comments about the future work. 

2 Trust graphs 

In web commerce and social networks, trust services are provided through feedback, 
recommender, and reputation systems lfT3ll2Tll22l[38l , deployed as an integral part of 
a wider environment (such as Netflix, Amazon, eBay, or Facebook), or as a devoted 
service (on the span from TrustE and Verisign, to Epinions and Yelp). They are the 
cyberspace complement of the social processes of trust. The central component of 
most such systems is a network of users and providers, connected by trust ratings. This 
is what we call a trust network. Its purpose is to support transfer of trust, and supply 
trust recommendations, or support or refine the existing trust scores. 

2.1 A toy example 

An example of a trust network is given in Fig. [2] Let us suppose that it is derived from 

S O 




Figure 2: A trust network 



the market transactions in a small town, deep in the World Wild West. The market con- 
sists of four web shops, say O = {i, j, k, €}, and five shopping agents S = {a, b, c, d, e}. 
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A local bank clears all payments in town, and the diligent banker maintains the ma- 
trix of trust scores, like in Table 1 . Suppose that the scores are derived from the total 
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.35 


.21 


-.56 


1.02 
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-.12 








.98 



Table 1 : Trust scores 

value of the transactions and from user feedback, in a uniform way. The fields are 
empty where there are no data. The negative entries result from negative feedback, or 
returned goods. The scale of the scores is irrelevant, provided they are all obtained in 
the same way. The banker provides some trust recommendations, in support of a stable 
market. Some of the typical tasks are: 

• Predict the missing trust scores: E.g., how will the shopper d like the shop (1 

• Refine the existing trust scores: Suppose that the merchant i acquires the shop j, 
with the intention to deliver the same services through both outlets. Which shop 
should now be recommended to the shopper b when he decides to fill her virtual 
pantry? 

We study the second type of query here in detail. The approach to the first query is 
sketched in the final section, but the details must be left for the sequel to this paper. 

2.2 Formalizing trust 

Formally, and a little more generally, a trust score, or trust statement, can be viewed as 
o 

a quadruple a — * c , where 

r 

• a is the trustor, 

• I is the trustee, 

• O is the entrusted protocol (concept, property), and 

• r is the trust rating. 

The trust statements a — > t can be viewed as the edges of a bipartite labelled graph, i.e. 

r 

the elements of a set B given with the structure 

M = (ExR^B^^xO) 

where 

• S and O are the sets of trustors and trustees (or subjects and objects) respectively, 
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• E is a lattice of entrusted concepts, 

• R is an ordered ring of ratings, usually the field of real numbers. 

We call such a bipartite graph a trust graph. This is what a trust services works with. 

2.3 Idea: Qualifying trust 

o 

In a trust statement a — > (, the trust score r quantifies a's trust for (. The trust concept 

r 

(D qualifies it. Qualified trust is less abstract, and thus less vulnerable to unwarranted 
transfers. We develop an algebra of trust concepts, as a tool for mitigating the vulnera- 
bilities of trust transfer. 

The strategy is to first mine for trust cliques from the trust graph data. Intuitively, a 
trust clique is a set of trustees who trust the same trustors; or a set of trustors trusted by 
the same trustees. In the second step, a trust concept will be defined as a pair of trust 
cliques, one of trustors, one of trustees, correlated by trust. An abstract framework for 
clustering the trustors and the trustees sets the stage for recognizing the trust cliques 
and concepts. 

3 Clusters and concepts 
3.1 Similarity networks 

Definition 1 A similarity network is a set A together with a similarity map s = sa : 
Ax A — > [0, 1] such that for all x,y e A holds 

s(x, x) = 1 s(x, y) = s(y, x) 

A similarity morphism between similarity networks A and B is a map f : A — > B such 
that for all x,y € A holds 

s A (x,y) < s B (fx,fy) 

Definition 2 For similarity networks A and C, a clustering c : A -» C is a pair of 
similarity morphisms c = {c',c"), where 

• c' : C — » A satisfies s c (x,y) = s A (c'x, c'y) for all x,y € C, and 

• c" : A — > C satisfies c" o c' - idc- 

Intuitively, the surjection c" : A — > C maps each node z £ A into a unique cluster 
c"z e C, whereas the injection c' : C — » A picks a representative c'x € A from 
each cluster z e C, in such a way that the similarity of the clusters s c (x,y) is just the 
similarity of their representatives s A (c'x, c'y). 

Some similarity morphisms determine a canonical clustering for both networks that 
they connect. 
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Definition 3 The spectral decomposition of a similarity morphism f : A 
of clusterings A -» £/j «- B smc/z f/zaf 



Z? is a pair 



f 



v ou 





The similarity network is the cluster range of f. 

Lemma 4 Whenever it exists, the spectral decomposition of is unique up to a similarity 

U V S t 

isomorphism. More precisely, if both A -»//«- B and A -» K «- are spectral 
decompositions of the same similarity morphism, then there is an isomorphism i : H — » 
K such that u' = s' o i anc/ v' = f' ° t (which implies s" = i o m" one/ f" = t o v"J. 




3.2 From trust graph to similarity networks 

The spectral decomposition will turn out to be useful for mining and extrapolating trust 
concepts in a trust graph. At this stage, though, we ignore the task of extrapolating the 
missing trust scores, and restrict attention to complete submatrices of the given trust 
graph. E.g., from Table 1, we first just take the matrix 



M = 



1.25 1.05 1.12 1.57 N 
.83 1.13 1.02 .35 
.35 .21 -.56, 



corresponding to the subnetwork spanned by the trustors a,b,c,d and the trustees i, j, k. 
Over these two sets, we first form vector spaces R^^^l and R l '- j ' k K We are actually 
only interested in unit vectors, i.e. in the sets 

X = {ipeR {aM] \\>fi\ = 1} 
© = {§ e R {u '* ! 1 1#| = 1} 

The elements of £ represent the communities of trustors; the elements of are the 
communities of trustees. The components of a community <p = (tp a ipb fc <Pd) 
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quantify the participation of each member. Both 2 and can be naturally viewed as 
similarity networks, as the similarity of two communities can be measured using their 
inner product: 

s z (^) = IW>l *e(0,T) = |<0|T>| 

Remark. The absolute value in the definition of similarity means that, strictly speak- 
ing, each community is represented by two unit vectors <p and -<p, which are indistin- 
guishable since sz(ip, ip) — sj.(—<p, 4>) for all i/^el Geometrically, a community is thus 
actually not a unit vector, but a ray, i.e. the 1 -dimensional subspace generated by it. 
When the confusion is unlikely, we tacitly identify rays and the pairs of unit vectors that 
represent them. 

All this begins to make sense when we observe that the linear operator M : E} a,b,c ''® — 
R' ,Jjl , determined by the matrix M of trust scores, induces a map M : S — > 0, defined 



Mip = 



Mip 



But unfortunately, this is not a similarity morphism. E.g., it strictly decreases the simi- 
larity of 



<P = 



o ^ 

.5 
.3 



and 



( .25 ^ 
.5 
.4 

.15; 



3.3 Concepts generate clusters 

The following definition formalizes the intuition from Sec. 



Definition 5 Let J[ and !B be finite dimensional real vector spaces, M : J[ — > 2> 
a linear operator, and M T : £ — * its transpose. Let A and B be the sets of 1- 
dimensional subspaces, i.e. rays in and !B respectively. A pair (a,B) € A X B is 
called a concept with respect to M if Ma = B and M T B = a. The concept spectrum Em 
is the set of all concepts with respect to M. 

Now we circumvent the obstacle noted at the end of the preceding Section, and 
relate concepts with clusters. 

Proposition 6 Let Ji and & be finite dimensional vector spaces and A and B the in- 
duced similarity networks. Then every linear operator M : J{ — > S induces a unique 
linear operator F — Fm ■ ^ — * S such that 

• the map F : A —> B, defined by Fip — is a similarity morphism, 

• there is a spectral decomposition A -» (F) «- B, and 

• the cluster range \F^ is generated by the concept spectrum E m, in the sense that 
every element of[F^ is a convex combination of concepts with respect to M. 
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Proof. By the Singular Value Decomposition ifTTl Sec. 2. 5. ,5.4.5], the matrix M can be 
decomposed in the form 

M = VAU T 




where 

• U and V are isometries, i.e. U T U = id and V T V = id, whereas 

• A is a positive diagonal matrix. 

The latter implies that A is an isomorphism, so we can take J\ — S without loss of 
generality. The operator F = Fm can now be defined 

F = VoU T 




The claims follow by passing from vector spaces to the induced similarity networks of 
rays. □ 

Comment. The preceding Proposition has some interesting conceptual and technical 
repercussions, that may not be immediately obvious. Conceptually, it displays the 
connection between clustering in the style of mathematical taxonomy ifTTll . and concept 
mining in the style of Latent Semantic Analysis 01 . By showing how the Singular 
Value Decomposition extracts the similarity invariants, it explains why the abstract 
algebra of matrix decomposition yields semantically meaningful results. The proof also 
determines the formal sense in which the singular values are semantically irrelevant — 
the statement often heard from the practitioners. We shall see below what kind of 
information the singular values do carry, and also how factoring them out opens up an 
alley towards gluing spectra, and towards extrapolating the missing trust scores. The 
technical repercussions of Prop. [6] follow from there. 

3.4 Trust qualified 

The first consequence of Prop.[6]for trust is that any trust matrix M can be decomposed 
into qualified trust matrices. 
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Corollary 7 The similarity preserving matrix F induced by a matrix M from Prop. [6] 
decomposes in the form 

F — with 

OeE M 

Fo = V*°f/J 

where 

• Em is the concept spectrum of M, 

• Vo and t/o denote the columns ofV and U. 

The matrices F® are called qualified trust matrices induced by M. The matrix M itself 
decomposes as 

M = Yj ^F® 

4>eE m 

where A® are its singular values. 

Comment. Componentwise, the above decomposition means that each trust rating M a ( 
is thus decomposed in the form 

M a c = 2u r® with 

OeE M 

ro = A<bV 'floV '(<s> 

The component r$ measures the contribution of the trust concept to the trust rating 
M a (. When M a t is viewed as the edge a — > t of the corresponding trust graph, then the 

r 

above decomposition becomes 

a > t 

The vector 2$ '"o't is in the range space of M, generated by its concept spectrum. 



3.5 Mining for concepts in the World Wild West 



To apply Prop. |6j the banker in our town in the World Wild West first decomposes the 
matrix M from Sec.|3.2|to the form M = VAU T , where 



V = 



f.83 -.4 
55 .6 
.7 ) 



A 



3 
1 



U 



r.5 


\ 


.5 


.5 


.5 


.3 


1.5 


-.8, 



The trust graph corresponding to M and its decomposition are displayed on Figures [3] 
and |4] (with the links omitted). The new nodes in-between the shopping agents S and 
the shops O emerge from the trust concept spectrum Em = {®i,<I>2}. The decompo- 
sition shows that, e.g., c's total trust rating 1.12 for the shop i turns out to consist of 
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Figure 3: Trust graph M 



Figure 4: Decomposition of M 



a positive qualified trust rating .5 x 3 x .83 = 1.24 for the concept <S>i and a negative 
qualified component .3xlx(-.4) = -.12 for the concept <1>2. The concepts induce the 
qualified trust matrices 



Ft = 



F 2 = 



(.83) 




.55 


(•5 


I J 




'-A* 




.6 




I 7 , 





(.5 .5 .5 .5) = 
(0 .5 .3 -.8) = 



'.41 


.41 


.41 


.4F 




.27 


.27 


.27 


.27 




lo 








0) 




'0 


-.2 


-.12 


.32 


i 





.3 


.18 


-.48 


lo 


.35 


.21 


-.56, 



The similarity preserving matrix from Prop.|6]is F = F\ + F%. On the other hand, the 
trust matrix M is decomposed as M = 3F\ + F 2 . 

What has the banker learned by decomposing the trust matrix in this way? Whether 
he was aware of the trust concepts cDi and <1>2 or not, they are the intrinsic coordinate 
axes of trust in his town. It may be that the shoppers in the World Wild West mainly 
shop for two things, say guns and food (like in the Old Wild West). If the trust ratings 
in the matrix M are proportional to the value of the transactions from which they are 
derived, then the trust concept <t>i, corresponding to the singular value A\ = 3, may 
correspond to guns, and the trust concept <t>2 to food, with the singular value A 2 - 1, 
reflecting the fact that the average cost in a gun purchase is 3 times higher than the 
average cost in a food purchase. If the trust ratings are based on user feedback, then 
the eigenvalues tell that the shoppers assign 3 times higher value to guns; or that the 
gun community is 3 times more influential than the food community. Most shoppers 
and most shops belong to both communities, but the former one is more important for 
them. 

In any case, the banker now reads off from the matrix decomposition that shop i 
sells high quality guns, and carries the highest qualified trust rating .83 for <J>i ; but that 
it also carries very bad food, as the negative qualified trust rating of -.4 for <t>2 shows. 
On the other hand, the shop k, whose total trust ratings are the lowest of all, actually 
supplies the best food, as reflected by the highest qualified trust rating .7 for O2. So 
if the banker wants to support an efficient market, he will recommend the shopper b 
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to go to k if he needs to fill his virtual pantry, and to i if he needs a gun. In general, 
the shoppers shopping for food should use the qualified trust matrix F\ ; the shoppers 
shopping for guns should use the qualified trust matrix F2. 

3.6 Effectiveness and scalability of the approach 

The described spectral decomposition is based on the Singular Value Decomposition. 
The Singular Value Decomposition of a large matrix M can be effectively computed, up 
to any desired precision, by the standard iterative methods. Kleinberg's HITS algorithm 
Il24l is an example of such a method, previously used for recognizing web spam IfTSl . 
If a finite precision suffices, then a matrix can be decomposed much faster, in a single 
sweep, by bidiagonalization followed by some eigenvalue algorithm. Bidiagonalization 
of an O x 5-matrix M is quadratic in iS and linear in O ||39l Chap. 31]. The eigenvalues 
of bidiagonal matrices are computed in linear time. Several versions of this approach, 
applicable to large examples, are implemented, e.g., in the GNU Scientific Library lfl2l 
Sec. 14.4]. 

4 Final comments and future work 
4.1 Summary 

In ll35l and in Sec. ll.2l we saw that the fragile distribution of trust arises from the fact 
that it is like money: money makes money, and trust attracts more trust. In fact, the 
roles of money and of trust in a market essentially depend on their main shared feature, 
that they are both abstractions of past interactions. Both trust and money are acquired in 
exchange for concrete goods and services; but these origins are "laundered", abstracted 
away, so that money and trust can be used for any type of goods or service^ In the 
case of money, this abstraction is what allows the flow of the investments towards more 
profitable areas. In the case of trust, this abstraction allows trust transfer, which is 
needed to facilitate new interactions. But it also leads to the vulnerabilities of trust, 
and to the paradox of the trust services, discussed in the Introduction. 

Arguably, the scale-free distribution of trust facilitates its adverse selection; but 
it is actually the abstraction of trust that enables this adverse selection. Moreover, 
the profitability of farming, selling and hijacking trust is increased because the trust 
ratings accumulated for one service can be used for another one. It is therefore not 
surprising that a market of trust is rapidly developing among the web merchants, e.g. 
on eBay and Amazon. The shops with high ratings and good feedback are often sold 
to new owners, for whom the accumulated trust has a higher value. They usually keep 
the same name and appearance, but they are consolidated into chains, and sometimes 
offer new goods and services. The difference in the valuation of trust between the old 
and the new owners is in some cases due to economy of scale: the chains are more 
profitable because they have lower maintenance costs. In other cases a higher trust 
valuation arises from using the purchased trust for a more profitable type of service. 

3 Vespasian pointed out that "Pecunia non olet": the money that he collected from the taxes on urinals 
bears no smell of its origin. 
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Some trusted services are acquired by scammers, who have a very high valuation for 
trust. Hence adverse selection. 

One way to make trust more reliable is thus to make it less abstract, by binding it 
to the trust concept for which it was accumulated. We showed how trust concepts can 
be reconstructed from the structure of a trust graph even when only records the scores. 
Such a trust network, recording the trust between some users and some providers^ 
can be built collaboratively, or by surveillance of the network transactions, indexing 
network links, with or without a direct participation of the users. 

For simplicity, we presented the trust mining algorithm on a trust network spanned 
by the trust relations a — » (, with the trust concepts initially abstracted away. The 

r 

trust concepts O were then reconstructed by mining. However, for the price of some 

o 

technical complexity, the same approach extends to trust relations in the form a — > {, 

r 

with the trust concepts previously qualified from a given lattice of concepts E given in 
advance. After a period of trust building, recorded in a trust network, the lattice E is 
refined to capture the additional trust concepts that emerge from the new interactions. 
In this way, the concept lattice E evolves. While E can be thought of as a propositional 
logic of concept, it should be noted that is obtained as a lattice of subspaces of a vector 
space. Such lattices are modular, but not distributive. In other words, the logic of con- 
cepts does not support a deduction theorem. This phenomenon is known to reflect the 
presence of hidden variables. Explaining it, and developing concept logic in general, 
is an interesting task for future work. But there is much more. 

4.2 Future work 

The problem of extrapolating the missing trust ratings, predicting how much Alice can 
trust Bob for her particular requirements, and providing a trust recommendation even 
if they never met, is probably the most important part of mining for trust. There is no 
space to continue with that task in the present paper. It should be noted, though, that the 
approach through similarity networks and spectral decomposition of their morphisms 
provides a crucial tool for this task. It arises from the universal property of the spectral 
decomposition. If the similarity morphisms /b : Ao — > Bq and f\ : A\ — > B\ are are both 
contained within a partial similarity morphism / : A — > B, along the inclusions of Ao 
and A\ in A, and of Bq and B\ in B, then the universal property implies that the spectral 
decompositions of /q and f\ can be glued together. This allows us to extrapolate the 
values of / from the available parts of its spectral decomposition. A similar gluing of 
Singular Value Decompositions of submatrices of a sparse matrix is hampered by their 
different singular values. 
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